3 Answers

The path to "bad things happening" would be to use that account to exploit any services listening remotely that are unpatched, then possibly use another type of attack to elevate to admin. Now that they have admin, if there is any service or process running on the box with domain admin or other elevated rights, they can gain the password hash of that account and then they own your network.

So the first rule would be limit the ports/services they can access, and then ensure systems are fully patched monthly, including the apps.

If an attacker has a username and password on any system, their chances of successfully attacking that server have increased compared to the attacker who has no such details. There isn't anything mythical about this: even if they can't directly use the compromised credentials, more information is always better than less information.

Some systems might be configured in a more secure (or less secure) manner than others; the specific user might have specific privileges depending on the reason it was created, making the risk higher or lower in certain circumstances; and if the user is connected with, say, a database or web app or other server application, then at the very least it might be used to steal information, which is arguably a larger problem than "merely" rooting a system for the sake of it but doing nothing else.

This isn't really operating system specific; I would keep the comments above exactly as they are regardless of the OS being discussed.

If the user has Terminal Services login rights on the system (or if it's a domain account, any other systems on the domain), then an attacker can do whatever he likes to the servers as if he were logged in at the keyboard, up to the security cred limits of that account.

However, we've seen soooo many examples of unpatched services and apps, that resulted in elevated rights when attacked in specific ways (SQL injection, buffer overflows, you name it).

Each account on the system is a vulnerability, and as such, you should always be vigilant about how much access users have, how often they change passwords, how strong their passwords are, and how and to what they are allowed to log on. My policy is pretty simple: "Give them what they need when they need it, and nothing else." If that means disabling accounts during non-work hours, or locking accounts while people are on vacation, or shutting off terminal access until someone says "I need to log into this system"... so be it.

I'd rather be hassled by legit requests than kept up at night by hacker issues.
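The "give them what they need, when they need it" policy from the answer above can be enforced directly in Active Directory. The following is an added example, not code from any of the answers; it assumes the RSAT ActiveDirectory module, a placeholder account name `jdoe`, and placeholder host names `APP01,APP02`.

```powershell
# Added example: express the answer's policy as AD account restrictions.
# Assumes the ActiveDirectory module (RSAT) and a placeholder account 'jdoe'.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    param(
        [int[]]$Days,     # 0 = Sunday ... 6 = Saturday
        [int]$StartHour,  # inclusive, 0-23; AD stores logonHours in UTC
        [int]$EndHour     # exclusive, 1-24
    )
    # logonHours is 21 bytes = 168 bits, one bit per hour of the week,
    # Sunday first; within each byte the least significant bit is the earliest hour.
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $idx = [int][math]::Floor($bit / 8)
            $mask[$idx] = $mask[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return $mask
}

$user = 'jdoe'   # placeholder sAMAccountName

# 1. Non-work hours: only permit logon Monday-Friday 08:00-18:00 UTC.
$hours = New-LogonHoursMask -Days 1,2,3,4,5 -StartHour 8 -EndHour 18
Set-ADUser -Identity $user -Replace @{ logonHours = $hours }

# 2. Terminal access: confine the account to the hosts it actually needs
#    (comma-separated NetBIOS names; placeholders here).
Set-ADUser -Identity $user -LogonWorkstations 'APP01,APP02'

# 3. Vacation: disable the account now, or let it expire on a fixed date.
Disable-ADAccount -Identity $user
# Set-ADAccountExpiration -Identity $user -DateTime (Get-Date '2025-07-01')

# Verify what was applied.
Get-ADUser -Identity $user -Properties logonHours,LogonWorkstations,Enabled,AccountExpirationDate |
    Select-Object SamAccountName,Enabled,LogonWorkstations,AccountExpirationDate
```

Note that logonHours is evaluated in UTC by the domain controller, so adjust the window for the account's time zone.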